IMAP/POP3+SSL/TLS are disabled

Reported by Ilmari Vacklin on 2006-05-12
340
This bug affects 46 people
Affects Status Importance Assigned to Milestone
Mail Notification
Fix Released
Unknown
mail-notification (Debian)
Fix Released
Unknown
mail-notification (Ubuntu)
Medium
Pascal Giard

Bug Description

The SSL/TLS options for IMAP and POP3 are greyed out in preferences. Only the “standard” method is available.

According to Debian (http://ftp-master.debian.org/REJECT-FAQ.html), the license of mail-notification is incompatible with the license of OpenSSL and hence Debian ships mail-notification packages with SSL support disabled.

Packages for Ubuntu with mail-notification compiled with SSL support are available from this PPA:
https://launchpad.net/~mail-notification-ssl/+archive/ppa

severity 286672 important
thanks

Not having SSL support renders the packages useless for a lot of people
(including me). The mail-notification homepage provides a .deb with SSL
support (I'm using that one in the mean time). It's really easy to fix (one
compile flag), so please fix it.

  bye, Wouter

--
:wq mail <email address hidden>

now she's gone love burns inside me -- black rebel motorcycle club

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tags 286672 wontfix help

thx!

| SSL was disabled in this application. Why? Is it just a
| configuration problem or the program's bug? Without SSL,
| mail-notification became useless to me.

it's not a bug nor a configuration problem.
i had to disable it for mail-notification to be accepted in Debian.

here's what i previously got from an ftp-master:

This software is licensed under the GPL but appears to link with
OpenSSL. This doesn't work due to license conflicts (see
debian-legal, debian-devel-announce archives for more details).
Please convince upstream to add an exception to the GPL which allows
linking with OpenSSL or point out if I am missing something.

- -- end of extract

Jean-Yves disagrees with the interpretation done by the debian legal team:

As long as dynamic linking is involved, I do not agree with that
interpretation.

Mail Notification does not contain OpenSSL code, and therefore the
clauses #3 and #6 of the OpenSSL license do not apply to it.

As of GPL clause #6, the "Program" is Mail Notification, not Mail
Notification + the libraries it may dynamically link against.

If this is a problem for the Debian project, I suggest you ship a
package compiled using ./configure --disable-ssl. I'm not changing my
license.

Regards,
Jean-Yves Lefort

- -- end of extract

See the following link for more information about the OpenSSL+GPL
license issue:
http://www.gnome.org/~markmc/openssl-and-the-gpl.html
<http://www.gnome.org/%7Emarkmc/openssl-and-the-gpl.html>

I'm tagging this bug wontfix and help as i can't do anything about it.

- -Pascal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBynT51Lfd97FsypURAsJaAJ40WODYrSlECygatK/kyRh0Efz3VwCgpU0K
CLMWodlTW2aVAWaTJMjq0Fc=
=j7HY
-----END PGP SIGNATURE-----

Since the author explicitly expressed that the program can be
distributed with dynamically linked OpenSSL. Why not just use the email
from the author as a permission statement and include it in the
documentation?

--
Chun-Chung Chen

The SSL/TLS options for IMAP are greyed out in preferences. Only the "standard" method is available. ldd says that mail-notification does use gnutls (is it just for SASL then?). Upstream site mentions openssl instead of gnutls.

Ilmari Vacklin (wolverian) wrote :

Sorry, forgot to mention that this is on current Dapper.

David Planella (dpm) wrote :

AFAIK, mail-notification uses OpenSSL, which cannot and will not be used in Debian due to licensing issues. That's why the SSL/TLS options are not available in the universe package (the --disable-ssl option is also explicitly specified in the debian/rules file).

In short, I don't think this bug will be fixed unless OpenSSL changes its license or mail-notification starts using gnutls instead. Shame though, since I'd also like to be able to use SSL.

Ilmari Vacklin (wolverian) wrote :

Thanks, I'll take this upstream (mail-notification) then.

If there is any way to provide SSL support for this package, I would be very
grateful. I understand there may be some licensing issues but I think
upstream should reconsider. Not having SSL support renders this application
useless for me.

Thank you.

Charles, you have to take it up with upstream. Debian simply does not
have permission to distribute binaries of mail-notification compiled
with OpenSSL support.

Another alternative would be to port mail-notification to use the Gnu
TLS library... :)

--
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078

As a follow up on this, i'm currently looking into patching
mail-notification to use GnuTLS instead of OpenSSL.
Now, please don't read this as a promise that SSL/TLS support will be
back in mail-notification soon.

If you're willing to help on this front, you're very much welcome.
You can help by:
- writing a patch;
- giving tips on doing the port;
- providing anything else relevant to this task;
- trying to convince the upstream author that it would be a good idea[?].

It might also be of interest to mention that Ubuntu users would also
like to see SSL/TLS support. See bug report:
https://launchpad.net/distros/ubuntu/+source/mail-notification/+bug/44335

-Pascal
--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)

Changed in mail-notification:
status: Unknown → Confirmed

I don't know if I'm right to post this here. If it's wrong, I apologise in advance.

For those who don't care so much about what debian thinks, I have made a "non-free" version of the mail-notification package with ssl enabled (for dapper). I have renamed it to mail-notification-ssl and it conflicts of course with mail-notification.

I have tested it on my computer and it works well. I really haven't changed much in the original package so I doubt it could cause any kind of trouble.

I must nevertheless warn you that this is the first time I compile a package ever. I have followed the ubuntu guide to creating a package.

I don't really want to host a deb repository for just one package (for now) so I'll just leave the package on my server, accessible via http: http://daluzduque.be/stuff/dapper_packages/mail-notification-ssl_2.0.dfsg.1-2ubuntu2_i386.deb

I did this package because there was no clean way to enable ssl in mail-notification. You had to compile it yourself. Now you can do it "the clean way" (well ok you can't have apt-get retrieve it for you, but it's a lot easier for beginners now with this package and gdebi)

Gustaf (opera) wrote :

mail-notifications is completely useless to any reasonable person since it doesn't handle ssl. It has been like this for _many years_ in debian, and my question (unanswered) has always been: Why the heck compile against openssl and not gnutls? gnutls has an openssl wrapper, so it should be a rather simple thing to do. Why even have this package in ubuntu when it is completely useless? Please don't tell me you Want people to not use ssl?
This is unfortunately pathetic. Years of unusable.
Thanks for the package Nicolas, but I'm on edgy, and I don't like packages which synaptic/apt wants to remove for every update I do.

It's just unbelievable. Completely unbelievable. I don't even understand why OpenSSL is in debian/ubuntu in the first place. Build the programs against GnuTLS, so we can get rid of all these non-issues which is only due to maintainer lazyness.
You have to excuse me, all of you are doing a good job, but this IS lazyness. And it has been like this for YEARS. Is nobody using mail anymore?

Maybe when everyone started to blog, cause they thought people cared what they think, they forgot about mail, I dunno.

Changed in mail-notification:
assignee: nobody → pascalgiard-debian
status: Unconfirmed → Confirmed
Ilmari Vacklin (wolverian) wrote :

This seems to be fixed on Feisty. Please revert if I am hallucinating.

Changed in mail-notification:
status: Confirmed → Fix Released
Mikael Nilsson (mini) wrote :

The options are in the GUI, but don't seem to work. I still see

DEB_CONFIGURE_EXTRA_FLAGS += --disable-ssl --with-gconf-schema-file-dir=/usr/share/gconf/schemas

in debian/rules. Thus, reverting.

Changed in mail-notification:
status: Fix Released → Confirmed
Peter Clifton (pcjc2) wrote :

Ubuntu != debian,

I think Ubuntu ought to re-ship the mail-notification package with --enable-ssl

In the mean time, fetching the sources yourself and re-compiling with ssl enabled is pretty easy. There is, however, an upstream bug which means the default trusted certificates aren't picked up on the system, so you have to verify the certificate fingerprint manually, and accept / decline it.

Nicolas da Luz Duque (hot-boy) wrote :

I totally agree with Peter.

Peter Clifton (pcjc2) wrote :

As an extra note, you can fix the bug of not having any trusted SSL CAs, with the following line:

  SSL_CTX_set_default_verify_paths( ctx );

added before:
  G_UNLOCK(init);

in the function:

SSL_CTX *
mn_ssl_init (GError **err)

in the file src/mn-ssl.c

This modification adds the default system trusted CAs to the list of verification sources OpenSSL will use to check certificates in this app.

On Wed, Apr 11, 2007 at 06:19:19PM -0000, Peter Clifton wrote:
> I think Ubuntu ought to re-ship the mail-notification package with
> --enable-ssl

Why? The OpenSSL license and the mail-notification license (GPL) are
incompatible.

--
Ilmari Vacklin
<email address hidden>

> Why? The OpenSSL license and the mail-notification license (GPL) are
> incompatible.

This may be Debian's take on the issue, but the author of mail-notification doesn't believe it to be the case. If he wanted, he could add an exception clause to his GPL license, but he doesn't believe there to be a problem in the first place.
Surely this common sense being to ship with --enable-ssl?

If debian believe it is the GPL program which must be graced by its copyright holder with an exception, surely the author's opinion counts here? (Or are we more thinking of the purity of the GPL, and the freedoms it gives software users?)

http://www.openssl.org/support/faq.html#LEGAL2 :

"On many systems including the major Linux and BSD distributions, yes (the GPL does not place restrictions on using libraries that are part of the normal operating system distribution)."

It seems that debian's stance is fairly hard-line. My real question, is should Ubuntu automatically follow the same stance?

On Thu, Apr 12, 2007 at 01:34:20PM -0000, Peter Clifton wrote:
> "On many systems including the major Linux and BSD distributions, yes
> (the GPL does not place restrictions on using libraries that are part of
> the normal operating system distribution)."

The difference between Debian and Ubuntu here is that Ubuntu does not
ship mail-notification in main (i.e. along with the OpenSSL libraries).
This might indeed allow Ubuntu to compile mail-notification with OpenSSL
enabled. I am not sure this is the right interpretation, however. Seems
like we need a legal opinion on this.

--
Ilmari Vacklin
<email address hidden>

Mikael Nilsson (mini) wrote :

tor 2007-04-12 klockan 13:34 +0000 skrev Peter Clifton:

>
> It seems that debian's stance is fairly hard-line. My real question, is
> should Ubuntu automatically follow the same stance?

Well, AFAIK the stance is more of the form "we can't afford any legal
trouble, so we'd better take the safe route". It's not really
fundamentalist, more like pragmatic from an organization without legal
resources.

One option that was discussed in the debian bug was to simply recompile
it with the GNU TLS openssl compatibility library:

http://www.gnu.org/software/gnutls/manual/gnutls.html#Compatibility-with-the-OpenSSL-library

Is this a solution?

/Mikael

Mikael Nilsson (mini) wrote :

tor 2007-04-12 klockan 14:26 +0000 skrev Mikael Nilsson:
> One option that was discussed in the debian bug was to simply recompile
> it with the GNU TLS openssl compatibility library:
>
> http://www.gnu.org/software/gnutls/manual/gnutls.html#Compatibility-
> with-the-OpenSSL-library
>
> Is this a solution?

Tried it, and it does not work, due to missing definitions of

SSL_get_version
SSL_get_verify_result
X509_V_OK
X509_digest
EVP_md5
X509_verify_cert_error_string

in gnutls/openssl.h

Too bad.

Pascal: have you had more luck with a full GNU TLS port?

Still an issue in Gutsy (testing) - mail-notification is linked against libgnutls, settings are available in GUI, but don't work... (at least not for GMail...)

Changed in mail-notification:
status: Confirmed → Won't Fix
Christopher Denter (dennda) wrote :

Yes. This is rather annoying.
Nobody really uses unencrypted connections to his mailserver (me neither).
This programm could be really cool, but the lack of support for encrypted connections makes it absolutely useless (to me).

regards

On 4/12/07, Mikael Nilsson <email address hidden> wrote:
> tor 2007-04-12 klockan 14:26 +0000 skrev Mikael Nilsson:
> > One option that was discussed in the debian bug was to simply recompile
> > it with the GNU TLS openssl compatibility library:
> >
> > http://www.gnu.org/software/gnutls/manual/gnutls.html#Compatibility-
> > with-the-OpenSSL-library
> >
> > Is this a solution?
>
> Tried it, and it does not work, due to missing definitions of
>
> SSL_get_version
> SSL_get_verify_result
> X509_V_OK
> X509_digest
> EVP_md5
> X509_verify_cert_error_string
>
> in gnutls/openssl.h
>
> Too bad.
>
> Pascal: have you had more luck with a full GNU TLS port?

Mikael nicely summed up the problems and respective positions.

Unfortunatly, i don't have the time to add GNU TLS support to
mail-notification but this seem like the best way to go.

For those who, _like me_, absolutly want SSL support... well, you can
rebuild the mail-notification package after removing --disable-ssl in
debian/rules (changing the version number in changelog is also a good
practice so you don't get confused with official packages).

In the Debian Bug Tracker, i've tagged that bug "help" and this still applies.
I welcome with open hands anyone who could provide a patch
implementing SSL support using GNU TLS.

-Pascal
--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)
LACIME: École de technologie supérieure (http://lacime.etsmtl.ca)

Hi,

a simple workaround for the missing SSL/TLS support is using stunnel4 in client mode.

http://www.roessner-net.com/mail-notification-workaround.txt

PatRiehecky (jcpunk) wrote :

Here is a good set of instructions for making your own package to work around this: http://www.howtoforge.com/repackage_deb_packages_debian_ubuntu

LEVIS Cyril (atlas95) wrote :

Someone has compil it for i386?
Thanks

Matti Lindell (mlind) on 2008-03-01
description: updated
Changed in mail-notification:
status: Unknown → Won't Fix

Solution: Put mail-notifications-ssl to multiverse. Use packages linked in this bug.

Reasoning:
- Gustaf: "mail-notifications is completely useless to any reasonable person since it doesn't handle ssl."
- README.Debian: "It doesn't look like the [SSL] issue is going to be solved soon."
- PatRiehecky's link: "Remove the '--disable-ssl' option from the [debian/rules] line with definition of the variable DEB_CONFIGURE_EXTRA_FLAGS"
- Nicolas da Luz Duque: "I have made a 'non-free' version of the mail-notification package with ssl enabled"
http://daluzduque.be/stuff/dapper_packages/mail-notification-ssl_2.0.dfsg.1-2ubuntu2_i386.deb

So why not put mail-notifications-ssl to multiverse?

I'd gladly do so but at this point i'm overflowed with real life.
I'd very much like help, could you help?

Eventually a co-maintainer for m-n would be very nice...

-Pascal

On Mon, Apr 28, 2008 at 8:41 AM, Tero Karvinen
<email address hidden> wrote:
> Solution: Put mail-notifications-ssl to multiverse. Use packages linked
> in this bug.
>
> Reasoning:
> - Gustaf: "mail-notifications is completely useless to any reasonable person since it doesn't handle ssl."
> - README.Debian: "It doesn't look like the [SSL] issue is going to be solved soon."
> - PatRiehecky's link: "Remove the '--disable-ssl' option from the [debian/rules] line with definition of the variable DEB_CONFIGURE_EXTRA_FLAGS"
> - Nicolas da Luz Duque: "I have made a 'non-free' version of the mail-notification package with ssl enabled"
> http://daluzduque.be/stuff/dapper_packages/mail-notification-ssl_2.0.dfsg.1-2ubuntu2_i386.deb
>
> So why not put mail-notifications-ssl to multiverse?
>
> --
> IMAP/POP3+SSL/TLS are disabled
> https://bugs.launchpad.net/bugs/44335
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)
LACIME: École de technologie supérieure (http://lacime.etsmtl.ca)

cecil_t (greg-hasslers) wrote :

The deb package referenced is almost 2 years old, is there a newer deb package with SSL support? Something for Hardy?

Andrew (andrew-rw-robinson) wrote :

Just follow the suggested instructions to build your own modified deb with SSL enabled at:
http://www.howtoforge.com/repackage_deb_packages_debian_ubuntu

Hopefully a mail-notification-ssl will make it into ubuntu someday

AZ (m-dev) wrote :

I took http://savannah.nongnu.org/download/mailnotify/mail-notification-5.4.tar.bz2 (most recent) and add gnutls (2.0.4 as installed in hardy) support.
It works for me but I'm pretty sure that there are still some bugs around I somehow missed, so better somebody else looks over it before applying it.

I basically added a new option "gnutls" parallel to "ssl" (=> openssl), where gnutls suppresses ssl in auto configuration.
Next, I replaced all #if WITH_SSL (and similar) definitions with #if WITH_SSL || WITH_GNUTLS. (These changes also applied to the code generated from gob, as I don't have gob2 2.1.16) .
Further, jbsrc/lib/src/extra/jb-gnutls.{c,h} and src/mn-gnutls.{c,h} got added, the latter contains some useful functions for cert verification and the default cert path.
In src/mn-client-session.{c,h} I seperated WITH_SSL and WITH_GNUTLS and rewrote the code for gnutls.

There are three major points about it:
 * gnutls 2.0.4 does not have all functions given in online api of gnutls nor do the examples work
   (gnutls-doc-2.0.4 is somehow incomplete regarding api listing).
 * cert chain verification needs to be cared for by mail-notification, e.g. reading ca certs from /etc/ssl/certs etc.
    I decided not to use gnutls_certificate_verify_peers2 due to
     http://blog.josefsson.org/2008/02/27/real-world-performance-tuning-with-callgrind/ ,
    which was really slow on my machine. Perhaps this could be changed some day.
 * check_hostname is not used as I didn't figure out how to extract the common_name and altName(s)
    correctly but use gnutls_x509_crt_check_hostname. I don't know if gnutls_x509_crt_check_hostname supports wildcards.

AZ (m-dev) wrote :

changes to build/src , which should automatically generate if gob2 2.1.16 were installed.

Thanks AZ, this GnuTLS compilation is a big step towards the real solution to this SSL/TLS problem.

AZ kirjoitti:
> I took
> http://savannah.nongnu.org/download/mailnotify/mail-notification-5.4.tar.bz2
> (most recent) and add gnutls (2.0.4 as installed in hardy) support.
> It works for me but I'm pretty sure that there are still some bugs
> around I somehow missed, so better somebody else looks over it before
> applying it.

This is great, thanks! Have you submitted the patch upstream yet?

--
Ilmari Vacklin

Jean-Yves Lefort (jylefort) wrote :

Distributors: please do not ship a MN package with this patch applied. Its quality is rather questionable, and I do not want my reputation to be damaged by it.

Peter Clifton (pcjc2) wrote :

On Sun, 2008-05-25 at 00:30 +0000, Jean-Yves Lefort wrote:
> Distributors: please do not ship a MN package with this patch applied.
> Its quality is rather questionable, and I do not want my reputation to
> be damaged by it.

Is there going to be upstream support for GnuTLS?

If not, perhaps a fork would be appropriate to avoid this conflict.

Peter Clifton

AZ (m-dev) wrote :

I justed looked over the patch and found I forgot to remove some debugging stuff.

AZ (m-dev) wrote :

Is there a way to remove a patch from a bug report or to replace it silently?
Here comes rev3 patch containing a minor fix.

54 comments hidden view all 134 comments
Andrew (andrew-rw-robinson) wrote :

I'm trying to get this setup in a PPA. I got it to build with a different version number, but if I try to rename the binary package as "mail-notification-ssl" (did not rename the source package), the build is failing due to the output directories I think.

Anyone know all the steps necessary to get this to build under a different binary name?

That way when a new mail-notification is released, it would not automatically upgrade the mail-notification-ssl package that you would have installed.

Andrew (andrew-rw-robinson) wrote :

I have decided that if debian has decided that GPL and libssl are incompatible, I am not going to subject myself to problems by making a PPA of this either.

I am just going to keep re-packaging it.

Perhaps the author may consider switching off of GPL, or having a dual license, or if not switching libraries, but until then, we are stuck with re-packaging as that doesn't affect the redistribution clause.

Andrew (andrew-rw-robinson) wrote :

For those interested, I wrote a deb program that does the necessary steps to rebuild the 5.4 package in jaunty with SSL enabled. No steps to follow, just install my package from my PPA:

https://launchpad.net/~andrew-rw-robinson/+archive/ppa

Hope it helps.

This is how I build my package. I think this should work with Ubuntu, but I use Debian. Hopefully an Ubuntu user will report whether this works or not. You need to have deb-src lines in your /etc/apt/sources.list to download package sources. You'll have a bunch of files, so I suggest you make a directory to contain them.

apt-get source mail-notification
sudo apt-get build-dep mail-notification
sudo apt-get install libssl-dev
 (this was removed from the build dependencies)
cd mail-notification-5.4.dfsg.1
 (the name of this directory may be different on your system)

Edit debian/rules. Search for "ssl=no" and change it to "ssl=yes". You can change the version number in debian/changelog if you want to. I append ".0.ssl" to it so updates are not blocked.

dpkg-buildpackage -b -us -uc -tc
cd ..
sudo dpkg -i mail-notification*.deb

Hi Andrew and Patrick,

I can report that both of you methods work in that you get a package to install at the end, however I still have the SSL options greyed out after installation, any ideas?

Scratch that, I just had to end and restart the existing mail-notification binary i.e. "sudo killall mail-notification" and then restart from the preferences menu and the options appeared. Thanks for the solution guys.

sefs (sefsinc) wrote :

Andrew I would like to use your ppa to have your solution dump the results as a deb into a directory that i can copy from machine to machine after building in one place.

Is that possible?

sefs (sefsinc) wrote :

By the way where in the source do I change that ugly icon when there is no new mail.

Thanks.

Nikil Mehta (nikil.mehta) wrote :

I can't believe this is being argued over the course of three years. There is a two second fix for this which could be accomplished either by the ridiculously stubborn developer or the ridiculously stubborn distro maintainers. Put your egos aside and fix the problem! So dumb.

Nikil Mehta (nikil.mehta) wrote :

This is still pissing me off so another note on this...

There are potentially MILLIONS of users out there using this program and submitting their gmail password in cleartext. Jean-Yves Lefort, somebody wrote the gnutls code FOR you! I don't think you care about the security of the patch (aka your "reputation")- if you cared about security you would try to make sure that the majority of users out there are using your program in a secure manner. The fact is you don't care about security, you care about winning an argument with the Ubuntu/Debian maintainers. Which chances are you are not going to win.

And to those maintainers... this package is insecure enough that it shouldn't even be packaged and supported if you're not going to allow for OpenSSL compilation. Just remove it or allow for SSL. Seriously.

Aidan Fitzpatrick (afit) wrote :

I agree re removing this package or replacing it with another until this is fixed. It is insecure and I cannot see why many would use it without SSL. With SSL it's great, but if we have to repackage ourselves each time we install it may as well not be in the repository...

I second that.

On Wed, 2009-07-29 at 21:38 +0000, Aidan Fitzpatrick wrote:
> I agree re removing this package or replacing it with another until this
> is fixed. It is insecure and I cannot see why many would use it without
> SSL. With SSL it's great, but if we have to repackage ourselves each
> time we install it may as well not be in the repository...
>

Phoenix (phoenix-dominion) wrote :

As bug reporter of bug #132947, who notified Ubuntu Security about the issue, I can barely express myself, as English is not my mother tongue, how poorly this issue is handled - YEARS passed by. Everyone is laughting at Microsoft when it takes them 10 months to fix severe security issues, but seeing this bug, I can well imagine why it takes so long.

If I were so, and I was, about building packages everytime myself, I would use Gentoo, Slackware or any BSD - but Ubuntu is a binary distribution, therefore I like to have a binary delivered. I want something that just works.

It needs someone to get it done on a political basis - either by fixing the issue or removing the piece of insecure code.

my 2c
Philipp

Karol Pucyński (kpucynski) wrote :

3 years and still arguing... come on! Is it really such ideological issue to enable SSL? :/

Download full text (3.6 KiB)

This is what we in the U.S. call a Mexican standoff. This is a human problem, not a technical problem. Free software has been burdened by it for decades. This is why Emacs forked and XFree86 stagnated for years under bad management until Keith Packard staged a coup. Most free software developers and maintainers are volunteers, so they can't be forced to do anything. They are free to behave like children if they wish.

I'm concerned when people say things like, "I admire your devotion to your principles, but . . . " in situations like this, because they're confusing integrity with inflexibility. If I refuse to do something which I consider immoral, I am demonstrating integrity. If I'm asked to do something legal, moral, and easy, but I refuse because I believe my interpretation of the rules should prevail, and any who have the temerity to disagree with me must submit to my superior opinion, even if that process is prolonged and inflicts collateral damage upon people who aren't even privy to the dispute, then I'm being inflexible.

This situation is analogous to one I repeatedly encounter in my interactions with children who have Asperger's syndrome/high-functioning autism (I have it, too, like many programmers). Two autistic children who are playing a board game will disagree about the correct interpretation of the rules and they deadlock, neither making a move, each absolutely focused on winning the argument and making the other relent, so they miss the opportunity to enjoy the game, which was the original point.

This behavior isn't admirable, it's petty. The children aren't defending moral principles. They just want everything their way. While there's nothing illogical about what they're doing, it's inconsiderate. They take do-or-die stands on trivial issues because they don't consider what other people might regard as important. Many people think this is simple selfishness, but this is actually a manifestation of a problem we have appreciating, in general, the perspectives of other people, and, specifically, considering the harmful effects our actions will have on other people, particularly bystanders.

I actually agree with Jean-Yves Lefort's interpretation of the Debian policy document, but I'm more sympathetic to Debian's position because I think it's an overly cautious response to a legitimate fear of being destroyed by lawsuits. Even if the lawsuits have no merit, the cost in money and time (especially time) can be severely damaging. Their position may be technically incorrect, but I believe it's understandable in light of the threats to free software (e.g. SCO vs. Linux, a perfect example of a lawsuit without merit consuming time and resources).

I want to emphasize, however, that either side could resolve this standoff. That is the nature of any Mexican standoff. Debian could and should fix the policy document so that people like Jean-Yves and me don't interpret it the way we do, since that isn't their intention. They should do this without regard to what Jean-Yves chooses to do or not do. It will only benefit them in the long run. Whether they will or not, however, is something only they control.

In closing, I'd like to assure bot...

Read more...

Jeremy Nickurak (nickurak) wrote :

Jean-Yves Lefort:
You mentioned willingness to add this clause to your README file, which would apparently solve this. Any chance you could provide such a clause quickly, with no other source/feature-changes to mail-notification? We as users of this program (which so far fills a gap nobody else seems interested in working on...) would, I think, all greatly appreciate it

unggnu (unggnu) wrote :

I hope that this gets fixed until the release of Karmic. I mean a setting like this is insane with a Laptop or Netbook.
Even worse it is not so easy possible to compile an own version of mail-notification in Karmic because of https://bugs.launchpad.net/ubuntu/+source/mail-notification/+bug/435789 .

At least after this there is no need to read a Jane Austen novel, we got all the stuff here ;D

If you can't recompile, you can use Stunnel. It binds to a port on your computer and forwards traffic with encryption (like ssh, but you don't need a shell account on the remote host). This is how Conky does secure email checks. Read the Conky FAQ at http://conky.sourceforge.net/faq.html (Q #10) to get it working. The Stunnel configuration will work just as well for mail-notification as it will for Conky.

You may even end up replacing mail-notification with Conky, like I did.

AZ (m-dev) wrote :

Hi,

more than a year ago I provided a patch for mail notification to work with gnutls hoping
that this would speedup either distribution with openssl or gnutls enabled.
At that time, creating a gnutls enabled mail notification package failed due to a lack of time
of the involved persons. As it looks to me that distributing mail notification with openssl
support enabled will still take some more time before it happens, I've now updated
the mail notification 5.4 ubuntu jaunty source package to come with gnutls enabled.

Though, the upstream author mentioned in comment 64 that he would dislike
such a package being named mail notification. That's why I renamed the package
to secure mail notification. As soon as debian and ubuntu decide to distribute
mail notification with openssl support enabled, secure mail notification will become
obsolete.

For those who cannot await secure mail notification being in the universe repository,
I'm uploading a signed binary (jaunty x86) and the source package.

6 comments hidden view all 134 comments
AZ (m-dev) wrote :

comment #106 : main application binary
comment #107: evolution plugin binary
comment #108: changelog for binaries
comment #109: source description
comment #110: source to extract
comment #111: changelog for source

AZ (m-dev) wrote :

Cleaning up the patch files by removing all changes from files that can be regenerated on jaunty.
This leads to the server dbus interface working again.
Futher, ubuntu jaunty binaries and source packages for secure mail notification and vanilla patches against mail notification 5.4 have been grouped into an archive and supplemented by a short readme explaining the patch files.

Dear package maintainer,

please find patches to make mail notification work with gnutls
attached to the ubuntu bug report. They apply to the vanilla
mail notification 5.4 and introduce only gnutls as a new build
and runtime dependeny (no diff for control file included).

Sincerely
 AZ

unggnu (unggnu) wrote :

The only workaround for Karmic I have found so far is to compile mail-notification (with SSL) in Jaunty and use this package for Karmic.

AZ (m-dev) wrote :

The important step for karmic is to remove libeel2-dev from the list of dependencies as well as to apply bug #443406.

MP (marcopugge) wrote :

Shipping this package without builtin ssl support is wrong whatever the reason, so please:
- try and find a way to accomodate ubuntu rules with the author's opinions and ship a package with ssl support
- build a package with ssl support and ship it in multiverse
- remove the package entirely from ubuntu repositories and let the users go to the author homepage to get it

Having this bug still opened after 3 years of arguing is a shame for both the distributor and the author.

Is not Ubuntu the distribution where things just works?

MP (marcopugge) wrote :

In my previous comment I obviously suggest to follow one of three options listed. Sorry but english is not my first language..

I also want to make clear that if we are so pissed off is because mn is a really great piece of software (thanks Jean-Yves!) that deserves to be fully appreciated by the users.. having it broken is not a good advertisement for anyone.

David Jurenka (jurenka) wrote :

This bug may well remain open for another couple of years. In the meantime, I've created a PPA with mail-notification as conceived by its upstream author, i.e. with SSL enabled.

https://launchpad.net/~mail-notification-ssl/+archive/ppa

Packages for all current releases (Hardy through Lucid) are available.

John Paulett (johnpaulett) wrote :

David, thanks for creating this ppa! It has worked well so far.

Rod J (rod-jamieson) wrote :

Thanks David ... I didn't feel up to compiling the source just yet so your work is appreciated :-)

description: updated
cnom (cnom) wrote :

Comment #72 by Jean-Yves Lefort on 2008-10-05:
> I own the "Mail Notification" trademark. Shipping a modified
> MN version that I have explicitly been disagreeing with is
> called trademark infringement. If someone wants to legally
> distribute such a MN version, he has to change the name of
> the application.

Aside from everything else, please disregard this particular nonsense. It might be preferable to not take the same name to preclude misunderstandings or out of respect, but there is no such thing as trademark protection of generic names. If you want to protect your trademark, choose a distinctive name.

Anyone interested, look up "trademark distinctiveness", "descriptive marks, and "generic marks".

Hold on, Mail Notification might well be a registered trademark in a
particular jurisdiction, the rules vary widely as to what is allowed as
a TM and what is not. If the original author does have a point on this,
we should respect it.

Mark

Ok so, change the name and lets get this sorted once and for all.

Carsten Agger (agger) wrote :

I would like to add that as much as I'd like to use mail-notification, I also regard it as completely useless unitl SSL/TLS support has been added.

Changed in mail-notification:
status: Won't Fix → Confirmed
Changed in mail-notification (Debian):
status: Won't Fix → Confirmed
Changed in mail-notification:
status: Confirmed → Fix Committed
Changed in mail-notification (Debian):
status: Confirmed → Fix Committed
Changed in mail-notification:
status: Fix Committed → Fix Released
Changed in mail-notification (Debian):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mail-notification - 5.4.dfsg.1-2.4ubuntu3

---------------
mail-notification (5.4.dfsg.1-2.4ubuntu3) oneiric; urgency=low

  * SSL enabled (LP: #44335). New Debian license interpretation:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286672#68
  * debian/patches/looser-gconf-check.patch:
    Drop default checks when default values don't apply (LP: #845990).
 -- Gunnar Hjalmarsson <email address hidden> Mon, 26 Sep 2011 08:11:28 +0200

Changed in mail-notification (Ubuntu):
status: Confirmed → Fix Released
Displaying first 40 and last 40 comments. View all 134 comments or add a comment.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.